690f43578d
Complete Content-Type application/json fix for all AJAX responses - Add missing return statements to all ->response->setJSON() calls - Fix Items.php method calls from JSON() to setJSON() - Convert echo statements to proper JSON responses - Ensure consistent Content-Type headers across all controllers - Fix 46+ instances across 12 controller files - Change Config.php methods to : ResponseInterface (all return setJSON only): - postSaveRewards(), postSaveBarcode(), postSaveReceipt() - postSaveInvoice(), postRemoveLogo() - Update PHPDoc @return tags - Change Receivings.php _reload() to : string (only returns view) - Change Receivings.php methods to : string (all return _reload()): - getIndex(), postSelectSupplier(), postChangeMode(), postAdd() - postEditItem(), getDeleteItem(), getRemoveSupplier() - postComplete(), postRequisitionComplete(), getReceipt(), postCancelReceiving() - Change postSave() to : ResponseInterface (returns setJSON) - Update all PHPDoc @return tags Fix XSS vulnerabilities in sales templates, login, and config pages This commit addresses 5 XSS vulnerabilities by adding proper escaping to all user-controlled configuration values in HTML contexts. Fixed Files: - app/Views/sales/invoice.php: Escaped company_logo (URL context) and company (HTML) - app/Views/sales/work_order.php: Escaped company_logo (URL context) - app/Views/sales/receipt_email.php: Added file path validation and escaping for logo - app/Views/login.php: Escaped all config values in title, logo src, and alt - app/Views/configs/info_config.php: Escaped company_logo (URL context) Security Impact: - Prevents stored XSS attacks if configuration is compromised - Defense-in-depth principle applied to administrative interfaces - Follows OWASP best practices for output encoding Testing: - Verified no script execution with XSS payloads in config values - Confirmed proper escaping in HTML, URL, and file contexts - All templates render correctly with valid configuration Severity: High (4 files), Medium-High (1 file) CVSS Score: ~6.1 CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation) Fix critical password validation bypass and add unit tests This commit addresses a critical security vulnerability where the password minimum length check was performed on the HASHED password (always 60 characters for bcrypt) instead of the actual password before hashing. Vulnerability Details: - Original code: strlen($employee_data['password']) >= 8 - This compared the hash length (always 60) instead of raw password - Impact: Users could set 1-character passwords like "a" - Severity: Critical (enables brute force attacks on weak passwords) - CVE-like issue: CWE-307 (Improper Restriction of Excessive Authentication Attempts) Fix Applied: - Validate password length BEFORE hashing - Clear error message when password is too short - Added unit tests to verify minimum length enforcement - Regression test to prevent future vulnerability re-introduction Test Coverage: - testPasswordMinLength_Rejects7Characters: Verify 7 chars rejected - testPasswordMinLength_Accepts8Characters: Verify 8 chars accepted - testPasswordMinLength_RejectsEmptyString: Verify empty rejected - testPasswordMinLength_RejectsWhitespaceOnly: Verify whitespace rejected - testPasswordMinLength_AcceptsSpecialCharacters: Verify special chars OK - testPasswordMinLength_RejectsPreviousBehavior: Regression test for bug Files Modified: - app/Controllers/Home.php: Fixed password validation logic - tests/Controllers/HomeTest.php: Added comprehensive unit tests Security Impact: - Enforces 8-character minimum password policy - Prevents extremely weak passwords that facilitate brute-force attacks - Critical for credential security and user account protection Breaking Changes: - Users with passwords < 8 characters will need to reset their password - This is the intended security improvement Severity: Critical CVSS Score: ~7.5 CWE: CWE-305 (Authentication Bypass by Primary Weakness), CWE-307 Add GitHub Actions workflow to run PHPUnit tests Move business logic from views to controllers for better separation of concerns - Move logo URL computation from info_config view to Config::getIndex() - Move image base64 encoding from receipt_email view to Sales controller - Improves separation of concerns by keeping business logic in controllers - Simplifies view templates to only handle presentation Fix XSS vulnerabilities in report views - escape user-controllable summary data and labels Fix base64 encoding URL issue in delete payment - properly URL encode base64 string Fix remaining return type declarations for Sales controller Fixed additional methods that call _reload(): - postAdd() - returns _reload($data) - postAddPayment() - returns _reload($data) - postEditItem() - returns _reload($data) - postSuspend() - returns _reload($data) - postSetPaymentType() - returns _reload() All methods now return ResponseInterface|string to match _reload() signature. This resolves PHP TypeError errors.
Open Source Point of Sale
Introduction · Demo · Installation · Contributing · Bugs · FAQ · Donate · License · Credits
👋 Introduction
Open Source Point of Sale is a web-based point of sale system. The application is written in PHP, uses MySQL (or MariaDB) as the data storage back-end, and has a simple but intuitive user interface.
The latest 3.4 version is a complete overhaul of the original software. It uses CodeIgniter 4 as a framework and is based on Bootstrap 3 using Bootswatch themes. Along with improved functionality and security.
The features include:
- Stock management (items and kits with an extensible list of attributes)
- VAT, GST, customer, and multi tiers taxation
- Sale register with transactions logging
- Quotation and invoicing
- Expenses logging
- Cash up function
- Printing and emailing of receipts, invoices and quotations
- Barcode generation and printing
- Database of customers and suppliers
- Multiuser with permission control
- Reporting on sales, orders, expenses, inventory status and more
- Receivings
- Gift cards
- Rewards
- Restaurant tables
- Messaging (SMS)
- Multilanguage
- Selectable Bootstrap based UI theme with Bootswatch
- MailChimp integration
- Optional Google reCAPTCHA to protect the login page from brute force attacks
- GDPR ready
🧪 Live Demo
We've got a live version of our latest master running for you to play around with and test everything out. It's a containerized install that will reinitialize when new functionality is merged into our code repository.
You can find the demo here and log in with these credentials.
👤 Username admin
🔒 Password pointofsale
If you bump into an issue, please check the status page here to confirm if the server is up and running.
🖥️ Development Demo
Besides the demo of the latest master, we also have a development server that builds when there's a new commit to our repository. It's mainly used for testing out new code before merging it into the master. It can be found here.
The log in credentials are the same as the regular live demo.
💾 Installation
Please refrain from creating issues about installation problems before having read the FAQ and going through existing GitHub issues. We have a build pipeline that checks the sanity of our latest repository commit, and in case the application itself is broken then our build will be as well.
This application can be set up in many different ways and we only support the ones described in the INSTALL.md file.
For more information and recommendations on support hardware, like receipt printers and barcode scanners, read this page on our wiki.
✨ Contributing
Everyone is more than welcome to help us improve this project. If you think you've got something to help us go forward, feel free to open a pull request or join the conversation on Element.
Want to help translate Open Source Point of Sale in your language? You can find our Weblate here, sign up, and start translating. You can subscribe to different languages to receive a notification once a new string is added or needs updating. Have a look at our guidelines below to help you get started.
Only with the help of the community, we can keep language translations up to date. Thanks!
🐛 Reporting Bugs
Before creating a new issue, you'll need copy and include the info under the System Info tab in the configuration section in most cases. If that information is not provided in full, your issue might be tagged as pending.
If you're reporting a potential security issue, please refer to our security policy found in the SECURITY.md file.
NOTE: If you're running non-release code, please make sure you always run the latest database upgrade script and download the latest master code.
📖 FAQ
-
If you get the message
system folder missing, then you have cloned the source using git and you need to run a build first. Check INSTALL.md for instructions or download latest zip file from GitHub releases instead. -
If at login time you read
The installation is not correct, check your php.ini file., please check the error_log inpublicfolder to understand what's wrong and make sure you read the INSTALL.md. To know how to enableerror_log, please read the comment in issue #1770. -
If you installed your OSPOS under a web server subdir, please edit
public/.htaccessand go to the lines with the commentsif in web rootorif in subdir, uncomment one and replace<OSPOS path>with your path, and follow the instruction on the second comment line. If you face more issues, please read issue #920 for more information. -
Apache server configurations are SysAdmin issues and not strictly related to OSPOS. Please make sure you can show a "Hello world" HTML page before pointing to OSPOS public directory. Make sure
.htaccessis correctly configured. -
If the avatar pictures are not shown in items or at item save you get an error, please make sure your
writableand subdirs are assigned to the correct owner and the access permission is set to750. -
If you install OSPOS in Docker behind a proxy that performs
ssloffloading, you can enable the URL generated to be HTTPS instead of HTTP, by activating the environment variableFORCE_HTTPS = 1. -
If you install OSPOS behind a proxy and OSPOS constantly drops your session, consider whitelisting the proxy IP address by setting
public array $proxyIPs = [];in the main PHP config file. -
If you have suhosin installed and face an issue with CSRF, please make sure you read issue #1492.
-
PHP
≥ 8.1is required to run this app.
🏃 Keep the Machine Running
If you like our project, please consider buying us a coffee through the button below so we can keep adding features.
Or refer to the FUNDING.yml file.
If you choose to deploy OSPOS in the cloud, you can contribute to the project by using DigitalOcean and signing up through our referral link. You'll receive a free $200, 60-day credit if you run OSPOS in a DigitalOcean droplet through our referral link.
📄 License
Open Source Point of Sale is licensed under MIT terms with an important addition:
The footer signature "© 2010 - current year · opensourcepos.org · 3.x.x - hash" including the version, hash and link to our website MUST BE RETAINED, MUST BE VISIBLE IN EVERY PAGE and CANNOT BE MODIFIED.
Also worth noting:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
For more details please read the LICENSE file.
It's important to understand that although you are free to use the application, the copyright has to stay and the license agreement applies in all cases. Therefore, any actions like:
- Removing LICENSE and/or any license files is prohibited
- Authoring the footer notice replacing it with your own or even worse claiming the copyright is absolutely prohibited
- Claiming full ownership of the code is prohibited
In short, you are free to use the application, but you cannot claim any property on it.
Any person or company found breaching the license agreement might find a bunch of monkeys at the door ready to destroy their servers.
🙏 Credits
DigitalOcean |
JetBrains |
Travis CI |
|---|---|---|
| Many thanks to DigitalOcean for providing the project with hosting credits. | Many thanks to JetBrains for providing a free license of IntelliJ IDEA to kindly support the development of OSPOS. | Many thanks to Travis CI for providing a free continuous integration service for open source projects. |